NIS 2 directive

The legal basis of Directive (EU) 2016/1148 was Article 114 of the Treaty on the Functioning of the European Union (TFEU), the objective of which is the establishment and functioning of the internal market by enhancing measures for the approximation of national rules. The cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements imposed on entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; providing services or carrying out activities which are economically significant vary considerably among Member States in terms of type of requirement, their level of detail and the method of supervision. Those disparities entail additional costs and create difficulties for entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that offer goods or services across borders. Requirements imposed by one Member State that are different from, or even in conflict with, those imposed by another Member State, may substantially affect such cross-border activities. Furthermore, the possibility of the inadequate design or implementation of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements in one Member State is likely to have repercussions at the level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of other Member States, in particular given the intensity of cross-border exchanges. The review of Directive (EU) 2016/1148 has shown a wide divergence in its implementation by Member States, including in relation to its scope, the delimitation of which was very largely left to the discretion of the Member States. Directive (EU) 2016/1148 also provided the Member States with very wide discretion as regards the implementation of the security and incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting obligations laid down therein. Those obligations were therefore implemented in significantly different ways at national level. There are similar divergences in the implementation of the provisions of Directive (EU) 2016/1148 on supervision and enforcement.

All those divergences entail a fragmentation of the internal market and can have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and the level of cyber resilience due to the application of a variety of measures. Ultimately, those divergences could lead to the higher vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; of some Member States to cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, with potential spill-over effects across the Union. This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; obligations and by providing effective remedies and enforcement measures which are key to the effective enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.

With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy to provide a comprehensive coverage of sectors and services of vital importance to key societal and economic activities in the internal market. In particular, this Directive aims to overcome the shortcomings of the differentiation between operators of essential services and digital service means a service as defined in Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council (^30^); Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1). providers, which has been proven to be obsolete, since it does not reflect the importance of the sectors or services for the societal and economic activities in the internal market.

Under Directive (EU) 2016/1148, Member States were responsible for identifying the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which met the criteria to qualify as operators of essential services. In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty as regards the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations for all relevant entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, a uniform criterion should be established that determines the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling within the scope of this Directive. That criterion should consist of the application of a size-cap rule, whereby all entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which qualify as medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; under Article 2 of the Annex to Commission Recommendation 2003/361/EC(⁵)Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36)., or exceed the ceilings for medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; provided for in paragraph 1 of that Article, and which operate within the sectors and provide the types of service or carry out the activities covered by this Directive fall within its scope. Member States should also provide for certain small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; and microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;, as defined in Article 2(2) and (3) of that Annex, which fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service to fall within the scope of this Directive.

The exclusion of public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital; from the scope of this Directive should apply to entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; whose activities are predominantly carried out in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. However, public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital; whose activities are only marginally related to those areas should not be excluded from the scope of this Directive. For the purposes of this Directive, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; with regulatory competences are not considered to be carrying out activities in the area of law enforcement and are therefore not excluded on that ground from the scope of this Directive. Public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital; that are jointly established with a third country in accordance with an international agreement are excluded from the scope of this Directive. This Directive does not apply to Member States’ diplomatic and consular missions in third countries or to their network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;, insofar as such systems are located in the premises of the mission or are operated for users in a third country.

Member States should be able to take the necessary measures to ensure the protection of the essential interests of national security, to safeguard public policy and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences. To that end, Member States should be able to exempt specific entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, from certain obligations laid down in this Directive with regard to those activities. Where an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; provides services exclusively to a public administration entity means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital; that is excluded from the scope of this Directive, Member States should be able to exempt that entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; from certain obligations laid down in this Directive with regard to those services. Furthermore, no Member State should be required to supply information the disclosure of which would be contrary to the essential interests of its national security, public security or defence. Union or national rules for the protection of classified information, non-disclosure agreements, and informal non-disclosure agreements such as the traffic light protocol should be taken into account in that context. The traffic light protocol is to be understood as a means to provide information about any limitations with regard to the further spreading of information. It is used in almost all computer security incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; response teams (CSIRTscomputer security incident response teams) and in some information analysis and sharing centres.

Although this Directive applies to entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; carrying out activities in the production of electricity from nuclear power plants, some of those activities may be linked to national security. Where that is the case, a Member State should be able to exercise its responsibility for safeguarding national security with respect to those activities, including activities within the nuclear value chain, in accordance with the Treaties.

Some entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, while also providing trust services means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014;. Trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; which fall within the scope of Regulation (EU) No 910/2014 of the European Parliament and of the Council(⁶)Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73). should fall within the scope of this Directive in order to secure the same level of security requirements and supervision as that which was previously laid down in that Regulation in respect of trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014;. In line with the exclusion of certain specific services from Regulation (EU) No 910/2014, this Directive should not apply to the provision of trust services means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014; that are used exclusively within closed systems resulting from national law or from agreements between a defined set of participants.

Postal service providers as defined in Directive 97/67/EC of the European Parliament and of the Council(⁷)Directive 97/67/EC of the European Parliament and of the Council of 15 December 1997 on common rules for the development of the internal market of Community postal services and the improvement of quality of service (OJ L 15, 21.1.1998, p. 14)., including providers of courier services, should be subject to this Directive if they provide at least one of the steps in the postal delivery chain, in particular clearance, sorting, transport or distribution of postal items, including pick-up services, while taking account of the degree of their dependence on network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;. Transport services that are not undertaken in conjunction with one of those steps should be excluded from the scope of postal services.

Given the intensification and increased sophistication of cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, Member States should strive to ensure that entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that are excluded from the scope of this Directive achieve a high level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and to support the implementation of equivalent cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures that reflect the sensitive nature of those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

Union data protection law and Union privacy law applies to any processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; under this Directive. In particular, this Directive is without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council(⁸)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). and Directive 2002/58/EC of the European Parliament and of the Council(⁹)Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).. This Directive should therefore not affect, inter alia, the tasks and powers of the authorities competent to monitor compliance with the applicable Union data protection law and Union privacy law.

Entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling within the scope of this Directive for the purpose of compliance with cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations should be classified into two categories, essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, reflecting the extent to which they are critical as regards their sector or the type of service they provide, as well as their size. In that regard, due account should be taken of any relevant sectoral risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments or guidance by the competent authoritiesas defined in Article 46, where applicable. The supervisory and enforcement regimes for those two categories of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be differentiated to ensure a fair balance between risk-based requirements and obligations on the one hand, and the administrative burden stemming from the supervision of compliance on the other.

In order to avoid entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that have partner enterprises or that are linked enterprises being considered to be essential or important entitiesas defined in Article 3 of Directive (EU) 2022/2555 where this would be disproportionate, Member States are able to take into account the degree of independence an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; enjoys in relation to its partner or linked enterprises when applying Article 6(2) of the Annex to Recommendation 2003/361/EC. In particular, Member States are able to take into account the fact that an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is independent from its partner or linked enterprises in terms of the network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; that that entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; uses in the provision of its services and in terms of the services that the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; provides. On that basis, where appropriate, Member States are able to consider that such an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; does not qualify as a medium-sized enterprise means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; under Article 2 of the Annex to Recommendation 2003/361/EC, or does not exceed the ceilings for a medium-sized enterprise means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; provided for in paragraph 1 of that Article, if, after taking into account the degree of independence of that entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, that entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; would not have been considered to qualify as a medium-sized enterprise means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; or to exceed those ceilings in the event that only its own data had been taken into account. This leaves unaffected the obligations laid down in this Directive of partner and linked enterprises which fall within the scope of this Directive.

Member States should be able to decide that entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; identified before the entry into force of this Directive as operators of essential services in accordance with Directive (EU) 2016/1148 are to be considered to be essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

In order to ensure a clear overview of the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling within the scope of this Directive, Member States should establish a list of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as well as entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;. For that purpose, Member States should require entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to submit at least the following information to the competent authoritiesas defined in Article 46, namely, the name, address and up-to-date contact details, including the email addresses, IP ranges and telephone numbers of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, and, where applicable, the relevant sector and subsector referred to in the annexes, as well as, where applicable, a list of the Member States where they provide services falling within the scope of this Directive. To that end, the Commission, with the assistance of the European Union Agency for Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; (ENISA), should, without undue delay, provide guidelines and templates regarding the obligation to submit information. To facilitate the establishing and updating of the list of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as well as entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;, Member States should be able to establish national mechanisms for entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to register themselves. Where registers exist at national level, Member States can decide on the appropriate mechanisms that allow for the identification of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling within the scope of this Directive.

Member States should be responsible for submitting to the Commission at least the number of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; for each sector and subsector referred to in the annexes, as well as relevant information about the number of identified entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and the provision, from among those laid down in this Directive, on the basis of which they were identified, and the type of service that they provide. Member States are encouraged to exchange with the Commission information about essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and, in the case of a large-scale cybersecurity incident means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States;, relevant information such as the name of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned.

The Commission should, in cooperation with the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and after consulting the relevant stakeholders, provide guidelines on the implementation of the criteria applicable to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; for the assessment of whether they fall within the scope of this Directive. The Commission should also ensure that appropriate guidance is given to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; falling within the scope of this Directive. The Commission should, with the assistance of the Member States, make information available to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; in that regard.

The Commission could provide guidance to assist Member States in implementing the provisions of this Directive on scope and evaluating the proportionality of the measures to be taken pursuant to this Directive, in particular as regards entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; with complex business models or operating environments, whereby an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; may simultaneously fulfil the criteria assigned to both essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or may simultaneously carry out activities, some of which fall within and some of which are excluded from the scope of this Directive.

This Directive sets out the baseline for cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations across the sectors that fall within its scope. In order to avoid the fragmentation of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; provisions of Union legal acts, where further sector-specific Union legal acts pertaining to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations are considered to be necessary to ensure a high level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; across the Union, the Commission should assess whether such further provisions could be stipulated in an implementing act under this Directive. Should such an implementing act not be suitable for that purpose, sector-specific Union legal acts could contribute to ensuring a high level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; across the Union, while taking full account of the specificities and complexities of the sectors concerned. To that end, this Directive does not preclude the adoption of further sector-specific Union legal acts addressing cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations that take due account of the need for a comprehensive and consistent cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; framework. This Directive is without prejudice to the existing implementing powers that have been conferred on the Commission in a number of sectors, including transport and energy.

Where a sector-specific Union legal act contains provisions requiring essential or important entitiesas defined in Article 3 of Directive (EU) 2022/2555 to adopt cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures or to notify significant incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, those provisions, including on supervision and enforcement, should apply to such entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. If a sector-specific Union legal act does not cover all entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive should continue to apply to the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; not covered by that act.

Where provisions of a sector-specific Union legal act require essential or important entitiesas defined in Article 3 of Directive (EU) 2022/2555 to comply with reporting obligations that are at least equivalent in effect to the reporting obligations laid down in this Directive, the consistency and effectiveness of the handling of incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notifications should be ensured. To that end, the provisions relating to incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notifications of the sector-specific Union legal act should provide the CSIRTscomputer security incident response teams, the competent authoritiesas defined in Article 46 or the single points of contact on cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; (single points of contact) under this Directive with an immediate access to the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notifications submitted in accordance with the sector-specific Union legal act. In particular, such immediate access can be ensured if incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notifications are being forwarded without undue delay to the CSIRT, the competent authorityas defined in Article 46 or the single point of contact under this Directive. Where appropriate, Member States should put in place an automatic and direct reporting mechanism that ensures systematic and immediate sharing of information with the CSIRTscomputer security incident response teams, the competent authoritiesas defined in Article 46 or the single points of contact concerning the handling of such incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notifications. For the purpose of simplifying reporting and of implementing the automatic and direct reporting mechanism, Member States could, in accordance with the sector-specific Union legal act, use a single entry point.

Sector-specific Union legal acts which provide for cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures or reporting obligations that are at least equivalent in effect to those laid down in this Directive could provide that the competent authoritiesas defined in Article 46 under such acts exercise their supervisory and enforcement powers in relation to such measures or obligations with the assistance of the competent authoritiesas defined in Article 46 under this Directive. The competent authoritiesas defined in Article 46 concerned could establish cooperation arrangements for that purpose. Such cooperation arrangements could specify, inter alia, the procedures concerning the coordination of supervisory activities, including the procedures of investigations and on-site inspections in accordance with national law, and a mechanism for the exchange of relevant information on supervision and enforcement between the competent authoritiesas defined in Article 46, including access to cyber-related information requested by the competent authoritiesas defined in Article 46 under this Directive.

Where sector-specific Union legal acts require or provide incentives to entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to notify significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage;, Member States should also encourage the sharing of significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; with the CSIRTscomputer security incident response teams, the competent authoritiesas defined in Article 46 or the single points of contact under this Directive, in order to ensure an enhanced level of those bodies’ awareness of the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; landscape and to enable them to respond effectively and in a timely manner should the significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; materialise.

Future sector-specific Union legal acts should take due account of the definitions and the supervisory and enforcement framework laid down in this Directive.

Regulation (EU) 2022/2554 of the European Parliament and of the Council(¹⁰)Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (see page 1 of this Official Journal). should be considered to be a sector-specific Union legal act in relation to this Directive with regard to financial entitiesas defined in Article 2, points (a) to (t). The provisions of Regulation (EU) 2022/2554 relating to information and communication technology (ICT) risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management, management of ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and, in particular, major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; reporting, as well as on digital operational resilience testingas defined in Article 24, information-sharing arrangements and ICT third-party risk means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements; should apply instead of those provided for in this Directive. Member States should therefore not apply the provisions of this Directive on cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management and reporting obligations, and supervision and enforcement, to financial entitiesas defined in Article 2, points (a) to (t) covered by Regulation (EU) 2022/2554. At the same time, it is important to maintain a strong relationship and the exchange of information with the financial sector under this Directive. To that end, Regulation (EU) 2022/2554 allows the European Supervisory Authorities (ESAsEuropean Supervisory Authority) and the competent authoritiesas defined in Article 46 under that Regulation to participate in the activities of the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and to exchange information and cooperate with the single points of contact, as well as with the CSIRTscomputer security incident response teams and the competent authoritiesas defined in Article 46 under this Directive. The competent authoritiesas defined in Article 46 under Regulation (EU) 2022/2554 should also transmit details of major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; and, where relevant, significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; to the CSIRTscomputer security incident response teams, the competent authoritiesas defined in Article 46 or the single points of contact under this Directive. This is achievable by providing immediate access to incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notifications and forwarding them either directly or through a single entry point. Moreover, Member States should continue to include the financial sector in their cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; strategies and CSIRTscomputer security incident response teams can cover the financial sector in their activities.

In order to avoid gaps between or duplications of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; obligations imposed on entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; in the aviation sector, national authorities under Regulations (EC) No 300/2008(¹¹)Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72). and (EU) 2018/1139(¹²)Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1). of the European Parliament and of the Council and the competent authoritiesas defined in Article 46 under this Directive should cooperate in relation to the implementation of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and the supervision of compliance with those measures at national level. The compliance of an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; with the security requirements laid down in Regulations (EC) No 300/2008 and (EU) 2018/1139 and in the relevant delegated and implementing acts adopted pursuant to those Regulations could be considered by the competent authoritiesas defined in Article 46 under this Directive to constitute compliance with the corresponding requirements laid down in this Directive.

In view of the interlinkages between cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and the physical security of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, a coherent approach should be ensured between Directive (EU) 2022/2557 of the European Parliament and of the Council(¹³)Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (see page 164 of this Official Journal). and this Directive. To achieve this, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; identified as critical entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; under Directive (EU) 2022/2557 should be considered to be essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; under this Directive. Moreover, each Member State should ensure that its national cybersecurity strategy means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;provides for a policy framework for enhanced coordination within that Member State between its competent authoritiesas defined in Article 46 under this Directive and those under Directive (EU) 2022/2557 in the context of information sharing about risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, and incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; as well as on non-cyber risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, threats and incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, and the exercise of supervisory tasks. The competent authoritiesas defined in Article 46 under this Directive and those under Directive (EU) 2022/2557 should cooperate and exchange information without undue delay, in particular in relation to the identification of critical entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, and incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; as well as in relation to non-cyber risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, threats and incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; affecting critical entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, including the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and physical measures taken by critical entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as well as the results of supervisory activities carried out with regard to such entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

Entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; belonging to the digital infrastructure sector are in essence based on network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; and therefore the obligations imposed on those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; pursuant to this Directive should address in a comprehensive manner the physical security of such systems as part of their cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations. Since those matters are covered by this Directive, the obligations laid down in Chapters III, IV and VI of Directive (EU) 2022/2557 do not apply to such entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

Upholding and preserving a reliable, resilient and secure domain name system or ‘DNS’ means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources; (DNS) are key factors in maintaining the integrity of the internet and are essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to top-level-domain (TLD) name registries, and DNS service providers means an entity that provides: publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers; that are to be understood as entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; providing publicly available recursive domain name resolution services for internet end-users or authoritative domain name resolution services for third-party usage. This Directive should not apply to root name servers.

Cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; should cover digital services means a service as defined in Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council (^30^); Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1). that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations. Computing resources include resources such as networks, servers or other infrastructure, operating systems, software means the part of an electronic information system which consists of computer code;, storage, applications and services. The service models of cloud computing include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software means the part of an electronic information system which consists of computer code; as a Service (SaaS) and Network as a Service (NaaS). The deployment models of cloud computing should include private, community, public and hybrid cloud. The cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; and deployment models have the same meaning as the terms of service and deployment models defined under ISO/IEC 17788:2014 standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).. The capability of the cloud computing user to unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; provider could be described as on-demand administration.

Given the emergence of innovative technologies and new business models, new cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; and deployment models are expected to appear in the internal market in response to evolving customer needs. In that context, cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; may be delivered in a highly distributed form, even closer to where data are being generated or collected, thus moving from the traditional model to a highly distributed one (edge computing).

Services offered by data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; providers may not always be provided in the form of a cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations;. Accordingly, data centres may not always constitute a part of cloud computing infrastructure. In order to manage all the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;, this Directive should therefore cover providers of data centre services means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; that are not cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations;. For the purposes of this Directive, the term ‘data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control;’ should cover provision of a service that encompasses structures, or groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU; of structures, dedicated to the centralised accommodation, interconnection and operation of information technology (IT) and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. The term ‘data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control;’ should not apply to in-house corporate data centres owned and operated by the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned, for its own purposes.

Research activities play a key role in the development of new products and processes. Many of those activities are carried out by entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that share, disseminate or exploit the results of their research for commercial purposes. Those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; can therefore be important players in value chains, which makes the security of their network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; an integral part of the overall cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of the internal market. Research organisations means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions. should be understood to include entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which focus the essential part of their activities on the conduct of applied research or experimental development, within the meaning of the Organisation for Economic Cooperation and Development’s Frascati Manual 2015: Guidelines for Collecting and Reporting Data on Research and Experimental Development, with a view to exploiting their results for commercial purposes, such as the manufacturing or development of a product or process, the provision of a service, or the marketing thereof.

The growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in sectors such as energy, transport, digital infrastructure, drinking water and waste water, health, certain aspects of public administration, as well as space in so far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programme. Those interdependencies mean that any disruption, even one initially confined to one entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The intensified cyberattacks during the COVID-19 pandemic have shown the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; of increasingly interdependent societies in the face of low-probability risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;.

In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate or establish one or more competent authoritiesas defined in Article 46 responsible for cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and for the supervisory tasks under this Directive.

In order to facilitate cross-border cooperation and communication among authorities and to enable this Directive to be implemented effectively, it is necessary for each Member State to designate a single point of contact responsible for coordinating issues related to the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; and cross-border cooperation at Union level.

The single points of contact should ensure effective cross-border cooperation with relevant authorities of other Member States and, where appropriate, with the Commission and ENISA. The single points of contact should therefore be tasked with forwarding notifications of significant incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; with cross-border impact to the single points of contact of other affected Member States upon the request of the CSIRT or the competent authorityas defined in Article 46. At national level, the single points of contact should enable smooth cross-sectoral cooperation with other competent authoritiesas defined in Article 46. The single points of contact could also be the addressees of relevant information about incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; concerning financial entitiesas defined in Article 2, points (a) to (t) from the competent authoritiesas defined in Article 46 under Regulation (EU) 2022/2554 which they should be able to forward, as appropriate, to the CSIRTscomputer security incident response teams or the competent authoritiesas defined in Article 46 under this Directive.

Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Member States should therefore establish or designate one or more CSIRTscomputer security incident response teams under this Directive and ensure that they have adequate resources and technical capabilities. The CSIRTscomputer security incident response teams should comply with the requirements laid down in this Directive in order to guarantee effective and compatible capabilities to deal with incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and to ensure efficient cooperation at Union level. Member States should be able to designate existing computer emergency response teams (CERTs) as CSIRTscomputer security incident response teams. In order to enhance the trust relationship between the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and the CSIRTscomputer security incident response teams, where a CSIRT is part of a competent authorityas defined in Article 46, Member States should be able to consider functional separation between the operational tasks provided by the CSIRTscomputer security incident response teams, in particular in relation to information sharing and assistance provided to the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, and the supervisory activities of the competent authoritiesas defined in Article 46.

The CSIRTscomputer security incident response teams are tasked with incident handling means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident;. This includes the processing of large volumes of sometimes sensitive data. Member States should ensure that the CSIRTscomputer security incident response teams have an infrastructure for information sharing and processing, as well as well-equipped staff, which ensures the confidentiality and trustworthiness of their operations. The CSIRTscomputer security incident response teams could also adopt codes of conduct in that respect.

As regards personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, the CSIRTscomputer security incident response teams should be able to provide, in accordance with Regulation (EU) 2016/679, upon the request of an essential or important entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, a proactive scanning of the network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; used for the provision of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s services. Where applicable, Member States should aim to ensure an equal level of technical capabilities for all sectoral CSIRTscomputer security incident response teams. Member States should be able to request the assistance of ENISA in developing their CSIRTscomputer security incident response teams.

The CSIRTscomputer security incident response teams should have the ability, upon an essential or important entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s request, to monitor the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s internet-facing assets, both on and off premises, in order to identify, understand and manage the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s overall organisational risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; as regards newly identified supply chain compromises or critical vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;. The entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be encouraged to communicate to the CSIRT whether it runs a privileged management interface, as this could affect the speed of undertaking mitigating actions.

Given the importance of international cooperation on cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;, the CSIRTscomputer security incident response teams should be able to participate in international cooperation networks in addition to the CSIRTscomputer security incident response teams network established by this Directive. Therefore, for the purpose of carrying out their tasks, the CSIRTscomputer security incident response teams and the competent authoritiesas defined in Article 46 should be able to exchange information, including personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, with the national computer security incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; response teams or competent authoritiesas defined in Article 46 of third countries provided that the conditions under Union data protection law for transfers of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; to third countries, inter alia those of Article 49 of Regulation (EU) 2016/679, are met.

Ensuring adequate resources to meet the objectives of this Directive and to enable the competent authoritiesas defined in Article 46 and the CSIRTscomputer security incident response teams to carry out the tasks laid down herein is essential. The Member States can introduce at the national level a financing mechanism to cover necessary expenditure in relation to the conduct of tasks of public entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; responsible for cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; in the Member State pursuant to this Directive. Such mechanism should comply with Union law and should be proportionate and non-discriminatory and should take into account different approaches to providing secure services.

The CSIRTscomputer security incident response teams network should continue to contribute to strengthening confidence and trust and to promote swift and effective operational cooperation among Member States. In order to enhance operational cooperation at Union level, the CSIRTscomputer security incident response teams network should consider inviting Union bodies and agencies involved in cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; policy, such as Europol, to participate in its work.

For the purpose of achieving and maintaining a high level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;, the national cybersecurity strategies means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;required under this Directive should consist of coherent frameworks providing strategic objectives and priorities in the area of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and the governance to achieve them. Those strategies can be composed of one or more legislative or non-legislative instruments.

Cyber hygiene policies provide the foundations for protecting network and information system means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; infrastructures, hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;, software means the part of an electronic information system which consists of computer code; and online application security, and business or end-user data upon which entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; rely. Cyber hygiene policies comprising a common baseline set of practices, including software means the part of an electronic information system which consists of computer code; and hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; updates, password changes, the management of new installs, the limitation of administrator-level access accounts, and the backing-up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; or cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;. ENISA should monitor and analyse Member States’ cyber hygiene policies.

Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; awareness and cyber hygiene are essential to enhance the level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; within the Union, in particular in light of the growing number of connected devices that are increasingly used in cyberattacks. Efforts should be made to enhance the overall awareness of risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; related to such devices, while assessments at Union level could help ensure a common understanding of such risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; within the internal market.

Member States should encourage the use of any innovative technology, including artificial intelligence, the use of which could improve the detection and prevention of cyberattacks, enabling resources to be diverted towards cyberattacks more effectively. Member States should therefore encourage in their national cybersecurity strategy means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;activities in research and development to facilitate the use of such technologies, in particular those relating to automated or semi-automated tools in cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;, and, where relevant, the sharing of data needed for training users of such technology and for improving it. The use of any innovative technology, including artificial intelligence, should comply with Union data protection law, including the data protection principles of data accuracy, data minimisation, fairness and transparency, and data security, such as state-of-the-art encryption. The requirements of data protection by design and by default laid down in Regulation (EU) 2016/679 should be fully exploited.

Open-source cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; tools and applications can contribute to a higher degree of openness and can have a positive impact on the efficiency of industrial innovation. Open standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). facilitate interoperability between security tools, benefitting the security of industrial stakeholders. Open-source cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; tools and applications can leverage the wider developer community, enabling diversification of suppliers. Open source can lead to a more transparent verification process of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; related tools and a community-driven process of discovering vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;. Member States should therefore be able to promote the use of open-source software means the part of an electronic information system which consists of computer code; and open standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). by pursuing policies relating to the use of open data and open-source as part of security through transparency. Policies promoting the introduction and sustainable use of open-source cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; tools are of particular importance for small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; facing significant costs for implementation, which could be minimised by reducing the need for specific applications or tools.

Utilities are increasingly connected to digital networks in cities, for the purpose of improving urban transport networks, upgrading water supply and waste disposal facilities and increasing the efficiency of lighting and the heating of buildings. Those digitalised utilities are vulnerable to cyberattacks and run the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, in the event of a successful cyberattack, of harming citizens at a large scale due to their interconnectedness. Member States should develop a policy that addresses the development of such connected or smart cities, and their potential effects on society, as part of their national cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; strategy.

In recent years, the Union has faced an exponential increase in ransomware attacks, in which malware encrypts data and systems and demands a ransom payment for release. The increasing frequency and severity of ransomware attacks can be driven by several factors, such as different attack patterns, criminal business models around ‘ransomware as a service’ and cryptocurrencies, ransom demands, and the rise of supply chain attacks. Member States should develop a policy addressing the rise of ransomware attacks as part of their national cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; strategy.

Public-private partnerships (PPPs) in the field of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; can provide an appropriate framework for knowledge exchange, the sharing of best practices and the establishment of a common level of understanding among stakeholders. Member States should promote policies underpinning the establishment of cybersecurity-specific PPPs. Those policies should clarify, inter alia, the scope and stakeholders involved, the governance model, the available funding options and the interaction among participating stakeholders with regard to PPPs. PPPs can leverage the expertise of private-sector entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to assist the competent authoritiesas defined in Article 46 in developing state-of-the-art services and processes including information exchange, early warnings, cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; exercises, crisis management and resilience planning.

Member States should, in their national cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; strategies, address the specific cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; needs of small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;. Small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; represent, across the Union, a large percentage of the industrial and business market and often struggle to adapt to new business practices in a more connected world and to the digital environment, with employees working from home and business increasingly being conducted online. Some small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; face specific cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; challenges such as low cyber-awareness, a lack of remote IT security, the high cost of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; solutions and an increased level of threat, such as ransomware, for which they should receive guidance and assistance. Small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; are increasingly becoming the target of supply chain attacks due to their less rigorous cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and attack management, and the fact that they have limited security resources. Such supply chain attacks not only have an impact on small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; and their operations in isolation but can also have a cascading effect on larger attacks on entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to which they provided supplies. Member States should, through their national cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; strategies, help small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; to address the challenges faced in their supply chains. Member States should have a point of contact for small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; at national or regional level, which either provides guidance and assistance to small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; related issues. Member States are also encouraged to offer services such as website configuration and logging enabling to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; that lack those capabilities.

As part of their national cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; strategies, Member States should adopt policies on the promotion of active cyber protection as part of a wider defensive strategy. Rather than responding reactively, active cyber protection is the prevention, detection, monitoring, analysis and mitigation of network security breaches in an active manner, combined with the use of capabilities deployed within and outside the victim network. This could include Member States offering free services or tools to certain entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, including self-service checks, detection tools and takedown services. The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enable a unity of effort in successfully preventing, detecting, addressing and blocking attacks against network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;. Active cyber protection is based on a defensive strategy that excludes offensive measures.

Since the exploitation of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; may cause significant disruption and harm, swiftly identifying and remedying such vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; is an important factor in reducing risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that develop or administer network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; should therefore establish appropriate procedures to handle vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; when they are discovered. Since vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; are often discovered and disclosed by third parties, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; or provider of ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; or ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; should also put in place the necessary procedures to receive vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; information from third parties. In that regard, international standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012; ISO/IEC 30111 and ISO/IEC 29147 provide guidance on vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling and vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure. Strengthening the coordination between reporting natural and legal persons and manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; or providers of ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; or ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; is particularly important for the purpose of facilitating the voluntary framework of vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure. Coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure specifies a structured process through which vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; are reported to the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; or provider of the potentially vulnerable ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; or ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; in a manner allowing it to diagnose and remedy the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; before detailed vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; information is disclosed to third parties or to the public. Coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure should also include coordination between the reporting natural or legal person and the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; or provider of the potentially vulnerable ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; or ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; as regards the timing of remediation and publication of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;.

The Commission, ENISA and the Member States should continue to foster alignments with international standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012; and existing industry best practices in the area of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management, for example in the areas of supply chain security assessments, information sharing and vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure.

Member States, in cooperation with ENISA, should take measures to facilitate coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure by establishing a relevant national policy. As part of their national policy, Member States should aim to address, to the extent possible, the challenges faced by vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities.

Member States should designate one of its CSIRTscomputer security incident response teams as a coordinator, acting as a trusted intermediary between the reporting natural or legal persons and the manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; or providers of ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; or ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, which are likely to be affected by the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, where necessary. The tasks of the CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. should include identifying and contacting the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned, assisting the natural or legal persons reporting a vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, negotiating disclosure timelines and managing vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; that affect multiple entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; (multi-party coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure). Where the reported vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; could have significant impact on entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; in more than one Member State, the CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. should cooperate within the CSIRTscomputer security incident response teams network, where appropriate.

Access to correct and timely information about vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; affecting ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; and ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; contributes to an enhanced cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management. Sources of publicly available information about vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; are an important tool for the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and for the users of their services, but also for the competent authoritiesas defined in Article 46 and the CSIRTscomputer security incident response teams. For that reason, ENISA should establish a European vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; database where entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, regardless of whether they fall within the scope of this Directive, and their suppliers of network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;, as well as the competent authoritiesas defined in Article 46 and the CSIRTscomputer security incident response teams, can disclose and register, on a voluntary basis, publicly known vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; for the purpose of allowing users to take appropriate mitigating measures. The aim of that database is to address the unique challenges posed by risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to Union entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Furthermore, ENISA should establish an appropriate procedure regarding the publication process in order to give entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; the time to take mitigating measures as regards their vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and employ state-of-the-art cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures as well as machine-readable datasets and corresponding interfaces. To encourage a culture of disclosure of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, disclosure should have no detrimental effects on the reporting natural or legal person.

Although similar vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; registries or databases exist, they are hosted and maintained by entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which are not established in the Union. A European vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; database maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; is publicly disclosed, and resilience in the event of a disruption or an interruption of the provision of similar services. In order, to the extent possible, to avoid a duplication of efforts and to seek complementarity, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries or databases that fall under third-country jurisdiction. In particular, ENISA should explore the possibility of close cooperation with the operators of the Common Vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and Exposures (CVE) system.

The Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should support and facilitate strategic cooperation and the exchange of information, as well as strengthen trust and confidence among Member States. The Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should establish a work programme every two years. The work programme should include the actions to be undertaken by the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; to implement its objectives and tasks. The timeframe for the establishment of the first work programme under this Directive should be aligned with the timeframe of the last work programme established under Directive (EU) 2016/1148 in order to avoid potential disruptions in the work of the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;.

When developing guidance documents, the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should consistently map national solutions and experiences, assess the impact of Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; deliverables on national approaches, discuss implementation challenges and formulate specific recommendations, in particular as regards facilitating an alignment of the transposition of this Directive among Member States, to be addressed through a better implementation of existing rules. The Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; could also map the national solutions in order to promote compatibility of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; solutions applied to each specific sector across the Union. This is particularly relevant to sectors that have an international or cross-border nature.

The Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It could organise regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and gather data and input on emerging policy challenges. Additionally, the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should carry out a regular assessment of the state of play of cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; or incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, such as ransomware. In order to enhance cooperation at Union level, the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should consider inviting relevant Union institutions, bodies, offices and agencies involved in cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; policy, such as the European Parliament, Europol, the European Data Protection Board, the European Union Aviation Safety Agency, established by Regulation (EU) 2018/1139, and the European Union Agency for Space Programme, established by Regulation (EU) 2021/696 of the European Parliament and the Council(¹⁴)Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, p. 69)., to participate in its work.

The competent authoritiesas defined in Article 46 and the CSIRTscomputer security incident response teams should be able to participate in exchange schemes for officials from other Member States, within a specific framework and, where applicable, subject to the required security clearance of officials participating in such exchange schemes, in order to improve cooperation and strengthen trust among Member States. The competent authoritiesas defined in Article 46 should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authorityas defined in Article 46 or the host CSIRT.

Member States should contribute to the establishment of the EU Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; Crisis Response Framework as set out in Commission Recommendation (EU) 2017/1584(¹⁵)Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36). through the existing cooperation networks, in particular the European cyber crisis liaison organisation network (EU-CyCLONe), the CSIRTscomputer security incident response teams network and the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;. EU-CyCLONe and the CSIRTscomputer security incident response teams network should cooperate on the basis of procedural arrangements that specify the details of that cooperation and avoid any duplication of tasks. EU-CyCLONe’s rules of procedure should further specify the arrangements through which that network should function, including the network’s roles, means of cooperation, interactions with other relevant actors and templates for information sharing, as well as means of communication. For crisis management at Union level, relevant parties should rely on the EU Integrated Political Crisis Response arrangements under Council Implementing Decision (EU) 2018/1993(¹⁶)Council Implementing Decision (EU) 2018/1993 of 11 December 2018 on the EU Integrated Political Crisis Response Arrangements (OJ L 320, 17.12.2018, p. 28). (IPCR arrangements). The Commission should use the ARGUS high-level cross-sectoral crisis coordination process for that purpose. If the crisis entails an important external or Common Security and Defence Policy dimension, the European External Action Service Crisis Response Mechanism should be activated.

In accordance with the Annex to Recommendation (EU) 2017/1584, a large-scale cybersecurity incident means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States; should mean an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States. Depending on their cause and impact, large-scale cybersecurity incidents means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States; may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market or posing serious public security and safety risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; for entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or citizens in several Member States or the Union as a whole. Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, Member States and the relevant Union institutions, bodies, offices and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union.

Large-scale cybersecurity incidents means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States; and crises at Union level require coordinated action to ensure a rapid and effective response because of the high degree of interdependence between sectors and Member States. The availability of cyber-resilient network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; and the availability, confidentiality and integrity of data are vital for the security of the Union and for the protection of its citizens, businesses and institutions against incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, as well as for enhancing the trust of individuals and organisations in the Union’s ability to promote and protect a global, open, free, stable and secure cyberspace grounded in human rights, fundamental freedoms, democracy and the rule of law.

EU-CyCLONe should work as an intermediary between the technical and political level during large-scale cybersecurity incidents means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States; and crises and should enhance cooperation at operational level and support decision-making at political level. In cooperation with the Commission, having regard to the Commission’s competence in the area of crisis management, EU-CyCLONe should build on the CSIRTscomputer security incident response teams network findings and use its own capabilities to create impact analysis of large-scale cybersecurity incidents means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States; and crises.

Cyberattacks are of a cross-border nature, and a significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; can disrupt and damage critical information infrastructures on which the smooth functioning of the internal market depends. Recommendation (EU) 2017/1584 addresses the role of all relevant actors. Furthermore, the Commission is responsible, within the framework of the Union Civil Protection Mechanism, established by Decision No 1313/2013/EU of the European Parliament and of the Council(¹⁷)Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924)., for general preparedness actions including managing the Emergency Response Coordination Centre and the Common Emergency Communication and Information System, maintaining and further developing situational awareness and analysis capability, and establishing and managing the capability to mobilise and dispatch expert teams in the event of a request for assistance from a Member State or third country. The Commission is also responsible for providing analytical reports for the IPCR arrangements under Implementing Decision (EU) 2018/1993, including in relation to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; situational awareness and preparedness, as well as for situational awareness and crisis response in the areas of agriculture, adverse weather conditions, conflict mapping and forecasts, early warning systems for natural disasters, health emergencies, infection disease surveillance, plant health, chemical incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, food and feed safety, animal health, migration, customs, nuclear and radiological emergencies, and energy.

The Union can, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in particular activities of the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, the CSIRTscomputer security incident response teams network and EU-CyCLONe. Such agreements should ensure the Union’s interests and the adequate protection of data. This should not preclude the right of Member States to cooperate with third countries on management of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management, facilitating reporting and general information sharing in accordance with Union law.

In order to facilitate the effective implementation of this Directive with regard, inter alia, to the management of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures, reporting obligations and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; information-sharing arrangements, Member States can cooperate with third countries and undertake activities that are considered to be appropriate for that purpose, including information exchange on cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, tools and methods, tactics, techniques and procedures, cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; crisis management preparedness and exercises, training, trust building and structured information-sharing arrangements.

Peer reviews should be introduced to help learn from shared experiences, strengthen mutual trust and achieve a high common level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;. Peer reviews can lead to valuable insights and recommendations strengthening the overall cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; capabilities, creating another functional path for the sharing of best practices across Member States and contributing to enhance the Member States’ levels of maturity in cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;. Furthermore, peer reviews should take account of the results of similar mechanisms, such as the peer-review system of the CSIRTscomputer security incident response teams network, and should add value and avoid duplication. The implementation of peer reviews should be without prejudice to Union or national law on the protection of confidential or classified information.

The Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; should establish a self-assessment methodology for Member States, aiming to cover factors such as the level of implementation of the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations, the level of capabilities and the effectiveness of the exercise of the tasks of the competent authoritiesas defined in Article 46, the operational capabilities of the CSIRTscomputer security incident response teams, the level of implementation of mutual assistance, the level of implementation of the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; information-sharing arrangements, or specific issues of cross-border or cross-sector nature. Member States should be encouraged to carry out self-assessments on a regular basis, and to present and discuss the results of their self-assessment within the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;.

Responsibility for ensuring the security of network and information system means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; lies, to a great extent, with essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. A culture of risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management, involving risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments and the implementation of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures appropriate to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; faced, should be promoted and developed.

Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should take into account the degree of dependence of the essential or important entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; on network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; and include measures to identify any risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, to prevent, detect, respond to and recover from incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and to mitigate their impact. The security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; should include the security of stored, transmitted and processed data. Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should provide for systemic analysis, taking into account the human factor, in order to have a complete picture of the security of the network and information system means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;.

As threats to the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; can have different origins, cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should be based on an all-hazards approach, which aims to protect network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; and the physical environment of those systems from events such as theft, fire, flood, telecommunication or power failures, or unauthorised physical access and damage to, and interference with, an essential or important entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s information and information processing facilities, which could compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;. The cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should therefore also address the physical and environmental security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; by including measures to protect such systems from system failures, human error, malicious acts or natural phenomena, in line with European and international standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;, such as those included in the ISO/IEC 27000 series. In that regard, essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should, as part of their cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures, also address human resources security and have in place appropriate access control policies. Those measures should be consistent with Directive (EU) 2022/2557.

For the purpose of demonstrating compliance with cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and in the absence of appropriate European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes adopted in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council(¹⁸)Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15)., Member States should, in consultation with the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the European Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; Certification Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, promote the use of relevant European and international standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012; by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or may require entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to use certified ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;, ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; and ICT processes.

In order to avoid imposing a disproportionate financial and administrative burden on essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should be proportionate to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to the network and information system means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; concerned, taking into account the state-of-the-art of such measures, and, where applicable, relevant European and international standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;, as well as the cost for their implementation.

Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should be proportionate to the degree of the essential or important entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s exposure to risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and to the societal and economic impact that an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; would have. When establishing cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures adapted to essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, due account should be taken of the divergent risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; exposure of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, such as the criticality of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, including societal risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, to which it is exposed, the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s size and the likelihood of occurrence of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and their severity, including their societal and economic impact.

Essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should ensure the security of the network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; which they use in their activities. Those systems are primarily private network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; managed by the essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’ internal IT staff or the security of which has been outsourced. The cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; regardless of whether those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; maintain their network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; internally or outsource the maintenance thereof.

Taking account of their cross-border nature, DNS service providers means an entity that provides: publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers;, TLD name registries, cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; providers, content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providers means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, providers of online marketplaces means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22)., of online search engines means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). and of social networking services platforms means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, and trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; should be subject to a high degree of harmonisation at Union level. The implementation of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures with regard to those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore be facilitated by an implementing act.

Addressing risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; and software means the part of an electronic information system which consists of computer code; editors, is particularly important given the prevalence of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; where entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; by exploiting vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; affecting third-party products and services. Essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures embedded in them, and the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; practices of their suppliers and service providers, including their secure development procedures. Essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should in particular be encouraged to incorporate cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures into contractual arrangements with their direct suppliers and service providers. Those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; could consider risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from other levels of suppliers and service providers.

Among service providers, managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; in areas such as incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; response, penetration testing, security audits and consultancy play a particularly important role in assisting entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; in their efforts to prevent, detect, respond to or recover from incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;. Managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; have however also themselves been the target of cyberattacks and, because of their close integration in the operations of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; pose a particular risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore exercise increased diligence in selecting a managed security service provider means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;.

The competent authoritiesas defined in Article 46, in the context of their supervisory tasks, may also benefit from cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; services such as security audits, penetration testing or incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; responses.

Essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should also address risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from their interactions and relationships with other stakeholders within a broader ecosystem, including with regard to countering industrial espionage and protecting trade secrets. In particular, those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, when relying on data transformation and data analytics services from third parties, those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should take all appropriate cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures.

Essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software means the part of an electronic information system which consists of computer code; updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness concerning cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, phishing or social engineering techniques. Furthermore, those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should evaluate their own cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; capabilities and, where appropriate, pursue the integration of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;.

To further address key supply chain risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and assist essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; operating in sectors covered by this Directive to appropriately manage supply chain and supplier related risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, in cooperation with the Commission and ENISA, and where appropriate after consulting relevant stakeholders including from the industry, should carry out coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains, as carried out for 5G networks following Commission Recommendation (EU) 2019/534(¹⁹)Commission Recommendation (EU) 2019/534 of 26 March 2019 – Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42)., with the aim of identifying, per sector, the critical ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, ICT systems or ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;, relevant threats and vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;. Such coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments should identify measures, mitigation plans and best practices to counter critical dependencies, potential single points of failure, threats, vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and other risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with the supply chain and should explore ways to further encourage their wider adoption by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Potential non-technical risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; factors, such as undue influence by a third country on suppliers and service providers, in particular in the case of alternative models of governance, include concealed vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; or backdoors and potential systemic supply disruptions, in particular in the case of technological lock-in or provider dependency.

The coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU coordinated risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment of the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of 5G networks and in the EU Toolbox on 5G cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; agreed by the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;. To identify the supply chains that should be subject to a coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; use and rely on specific critical ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, ICT systems or ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;; (ii) the relevance of specific critical ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, ICT systems or ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; for performing critical or sensitive functions, including the processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;; (iii) the availability of alternative ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, ICT systems or ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;; (iv) the resilience of the overall supply chain of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, ICT systems or ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; throughout their lifecycle against disruptive events; and (v) for emerging ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, ICT systems or ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;, their potential future significance for the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’ activities. Furthermore, particular emphasis should be placed on ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, ICT systems or ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; that are subject to specific requirements stemming from third countries.

In order to streamline the obligations imposed on providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;, and trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014;, related to the security of their network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;, as well as to enable those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and the competent authoritiesas defined in Article 46 under Directive (EU) 2018/1972 of the European Parliament and of the Council(²⁰)Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36). and Regulation (EU) No 910/2014 respectively to benefit from the legal framework established by this Directive, including the designation of a CSIRT responsible for incident handling means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident;, the participation of the competent authoritiesas defined in Article 46 concerned in the activities of the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the CSIRTscomputer security incident response teams network, those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should fall within the scope of this Directive. The corresponding provisions laid down in Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 related to the imposition of security and notification requirements on those types of entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore be deleted. The rules on reporting obligations laid down in this Directive should be without prejudice to Regulation (EU) 2016/679 and Directive 2002/58/EC.

The cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; obligations laid down in this Directive should be considered to be complementary to the requirements imposed on trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; under Regulation (EU) No 910/2014. Trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; should be required to take all appropriate and proportionate measures to manage the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to their services, including in relation to customers and relying third parties, and to report incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; under this Directive. Such cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and reporting obligations should also concern the physical protection of the services provided. The requirements for qualified trust service providers means a qualified trust service provider as defined in Article 3, point (20), of Regulation (EU) No 910/2014; laid down in Article 24 of Regulation (EU) No 910/2014 continue to apply.

Member States can assign the role of the competent authoritiesas defined in Article 46 for trust services means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014; to the supervisory bodies under Regulation (EU) No 910/2014 in order to ensure the continuation of current practices and to build on the knowledge and experience gained in the application of that Regulation. In such a case, the competent authoritiesas defined in Article 46 under this Directive should cooperate closely and in a timely manner with those supervisory bodies by exchanging relevant information in order to ensure effective supervision and compliance of trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; with the requirements laid down in this Directive and in Regulation (EU) No 910/2014. Where applicable, the CSIRT or the competent authorityas defined in Article 46 under this Directive should immediately inform the supervisory body under Regulation (EU) No 910/2014 about any notified significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; or incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; affecting trust services means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014; as well as about any infringements by a trust service provider means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; of this Directive. For the purpose of reporting, Member States can, where applicable, use the single entry point established to achieve a common and automatic incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting to both the supervisory body under Regulation (EU) No 910/2014 and the CSIRT or the competent authorityas defined in Article 46 under this Directive.

Where appropriate and in order to avoid unnecessary disruption, existing national guidelines adopted for the transposition of the rules related to security measures laid down in Articles 40 and 41 of Directive (EU) 2018/1972 should be taken into account in the transposition of this Directive, thereby building on the knowledge and skills already acquired under Directive (EU) 2018/1972 concerning security measures and incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notifications. ENISA can also develop guidance on security requirements and on reporting obligations for providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; to facilitate harmonisation and transition and to minimise disruption. Member States can assign the role of the competent authoritiesas defined in Article 46 for electronic communications to the national regulatory authorities under Directive (EU) 2018/1972 in order to ensure the continuation of current practices and to build on the knowledge and experience gained as a result of the implementation of that Directive.

Given the growing importance of number-independent interpersonal communications services as defined in Directive (EU) 2018/1972, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. As the attack surface continues to expand, number-independent interpersonal communications services, such as messaging services, are becoming widespread attack vectors. Malicious perpetrators use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; involving the exploitation of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, and, by extension, the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;. Providers of number-independent interpersonal communications services should ensure a level of security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; appropriate to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to such services can be considered in some respects to be lower than for traditional electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;. The same applies to interpersonal communications services as defined in Directive (EU) 2018/1972 which make use of numbers and which do not exercise actual control over signal transmission.

The internal market is more reliant on the functioning of the internet than ever. The services of almost all essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, it is important that all providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; have appropriate cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures in place and report significant incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; in relation thereto. Member States should ensure that the security of the public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; is maintained and that their vital security interests are protected from sabotage and espionage. Since international connectivity enhances and accelerates the competitive digitalisation of the Union and its economy, incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; affecting undersea communications cables should be reported to the CSIRT or, where applicable, the competent authorityas defined in Article 46. The national cybersecurity strategy means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;should, where relevant, take into account the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of undersea communications cables and include a mapping of potential cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and mitigation measures to secure the highest level of their protection.

In order to safeguard the security of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; and publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications.

In order to safeguard the security, and to prevent abuse and manipulation, of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; and of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;, the use of secure routing standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). should be promoted to ensure the integrity and robustness of routing functions across the ecosystem of internet access service providers.

In order to safeguard the functionality and integrity of the internet and to promote the security and resilience of the DNS, relevant stakeholders including Union private-sector entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, providers of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;, in particular internet access service providers, and providers of online search engines means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). should be encouraged to adopt a DNS resolution diversification strategy. Furthermore, Member States should encourage the development and use of a public and secure European DNS resolver service.

This Directive lays down a multiple-stage approach to the reporting of significant incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of significant incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and allows essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to seek assistance, and, on the other, in-depth reporting that draws valuable lessons from individual incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and improves over time the cyber resilience of individual entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and entire sectors. In that regard, this Directive should include the reporting of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; that, based on an initial assessment carried out by the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned, could cause severe operational disruption of the services or financial loss for that entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or affect other natural or legal persons by causing considerable material or non-material damage. Such initial assessment should take into account, inter alia, the affected network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;, in particular their importance in the provision of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s services, the severity and technical characteristics of a cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and any underlying vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; that are being exploited as well as the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s experience with similar incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;. Indicators such as the extent to which the functioning of the service is affected, the duration of an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; or the number of affected recipients of services could play an important role in identifying whether the operational disruption of the service is severe.

Where essential or important entitiesas defined in Article 3 of Directive (EU) 2022/2555 become aware of a significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, they should be required to submit an early warning without undue delay and in any event within 24 hours. That early warning should be followed by an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notification. The entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned should submit an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notification without undue delay and in any event within 72 hours of becoming aware of the significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, with the aim, in particular, of updating information submitted through the early warning and indicating an initial assessment of the significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, including its severity and impact, as well as indicators of compromise, where available. A final report should be submitted not later than one month after the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notification. The early warning should only include the information necessary to make the CSIRT, or where applicable the competent authorityas defined in Article 46, aware of the significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and allow the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned to seek assistance, if required. Such early warning, where applicable, should indicate whether the significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; is suspected of being caused by unlawful or malicious acts, and whether it is likely to have a cross-border impact. Member States should ensure that the obligation to submit that early warning, or the subsequent incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; notification, does not divert the notifying entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s resources from activities related to incident handling means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident; that should be prioritised, in order to prevent incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting obligations from either diverting resources from significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; response handling or otherwise compromising the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s efforts in that respect. In the event of an ongoing incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; at the time of the submission of the final report, Member States should ensure that entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned provide a progress report at that time, and a final report within one month of their handling of the significant incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

Where applicable, essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should communicate, without undue delay, to their service recipients any measures or remedies that they can take to mitigate the resulting risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; from a significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage;. Those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should, where appropriate and in particular where the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; is likely to materialise, also inform their service recipients of the threat itself. The requirement to inform those recipients of significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; should be met on a best efforts basis but should not discharge those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any such threats and restore the normal security level of the service. The provision of such information about significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; to the service recipients should be free of charge and drafted in easily comprehensible language.

Providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; should implement security by design and by default, and inform their service recipients of significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; and of measures they can take to protect the security of their devices and communications, for example by using specific types of software means the part of an electronic information system which consists of computer code; or encryption technologies.

A proactive approach to cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; is a vital component means software or hardware intended for integration into an electronic information system; of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management that should enable the competent authoritiesas defined in Article 46 to effectively prevent cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; from materialising into incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; that may cause considerable material or non-material damage. For that purpose, the notification of cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; is of key importance. To that end, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are encouraged to report on a voluntary basis cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;.

In order to simplify the reporting of information required under this Directive as well as to decrease the administrative burden for entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, Member States should provide technical means such as a single entry point, automated systems, online forms, user-friendly interfaces, templates, dedicated platforms for the use of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, regardless of whether they fall within the scope of this Directive, for the submission of the relevant information to be reported. Union funding supporting the implementation of this Directive, in particular within the Digital Europe programme, established by Regulation (EU) 2021/694 of the European Parliament and of the Council(²¹)Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing the Digital Europe Programme and repealing Decision (EU) 2015/2240 (OJ L 166, 11.5.2021, p. 1)., could include support for single entry points. Furthermore, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are often in a situation where a particular incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional administrative burden and could also lead to uncertainties with regard to the format and procedures of such notifications. Where a single entry point is established, Member States are encouraged also to use that single entry point for notifications of security incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; required under other Union law, such as Regulation (EU) 2016/679 and Directive 2002/58/EC. The use of such single entry point for reporting of security incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; under Regulation (EU) 2016/679 and Directive 2002/58/EC should not affect the application of the provisions of Regulation (EU) 2016/679 and Directive 2002/58/EC, in particular those relating to the independence of the authorities referred to therein. ENISA, in cooperation with the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;, should develop common notification templates by means of guidelines to simplify and streamline the information to be reported under Union law and decrease the administrative burden on notifying entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

Where it is suspected that an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, on the basis of applicable criminal proceedings rules in accordance with Union law, to report incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; protection rules applying to Europol, it is desirable that coordination between the competent authoritiesas defined in Article 46 and the law enforcement authorities of different Member States be facilitated by the European Cybercrime Centre (EC3) and ENISA.

Personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; are in many cases compromised as a result of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;. In that context, the competent authoritiesas defined in Article 46 should cooperate and exchange information about all relevant matters with the authorities referred to in Regulation (EU) 2016/679 and Directive 2002/58/EC.

Maintaining accurate and complete databases of domain name registration data (WHOIS data) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; across the Union. For that specific purpose, TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should be required to process certain data necessary to achieve that purpose. Such processing should constitute a legal obligation within the meaning of Article 6(1), point (c), of Regulation (EU) 2016/679. That obligation is without prejudice to the possibility to collect domain name registration data for other purposes, for example on the basis of contractual arrangements or legal requirements established in other Union or national law. That obligation aims to achieve a complete and accurate set of registration data and should not result in collecting the same data multiple times. The TLD name registries and the entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should cooperate with each other in order to avoid the duplication of that task.

The availability and timely accessibility of domain name registration data to legitimate access seekers is essential for the prevention and combating of DNS abuse, and for the prevention and detection of and response to incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;. Legitimate access seekers are to be understood as any natural or legal person making a request pursuant to Union or national law. They can include authorities that are competent under this Directive and those that are competent under Union or national law for the prevention, investigation, detection or prosecution of criminal offences, and CERTs or CSIRTscomputer security incident response teams. TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should be required to enable lawful access to specific domain name registration data, which are necessary for the purposes of the access request, to legitimate access seekers in accordance with Union and national law. The request of legitimate access seekers should be accompanied by a statement of reasons permitting the assessment of the necessity of access to the data.

In order to ensure the availability of accurate and complete domain name registration data, TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should collect and guarantee the integrity and availability of domain name registration data. In particular, TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should establish policies and procedures to collect and maintain accurate and complete domain name registration data, as well as to prevent and correct inaccurate registration data, in accordance with Union data protection law. Those policies and procedures should take into account, to the extent possible, the standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). developed by the multi-stakeholder governance structures at international level. The TLD name registries and the entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should adopt and implement proportionate procedures to verify domain name registration data. Those procedures should reflect the best practices used within the industry and, to the extent possible, the progress made in the field of electronic identification. Examples of verification procedures may include ex ante controls carried out at the time of the registration and ex post controls carried out after the registration. The TLD name registries and the entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should, in particular, verify at least one means of contact of the registrant.

TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should be required to make publicly available domain name registration data that fall outside the scope of Union data protection law, such as data that concern legal persons, in line with the preamble of Regulation (EU) 2016/679. For legal persons, the TLD name registries and the entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should make publicly available at least the name of the registrant and the contact telephone number. The contact email address should also be published, provided that it does not contain any personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, such as in the case of email aliases or functional accounts. TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should require TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; to respond without undue delay to requests for the disclosure of domain name registration data from legitimate access seekers. TLD name registries and entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. Those policies and procedures should take into account, to the extent possible, any guidance and the standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). developed by the multi-stakeholder governance structures at international level. The access procedure could include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission can, without prejudice to the competences of the European Data Protection Board, provide guidelines with regard to such procedures, which take into account, to the extent possible, the standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). developed by the multi-stakeholder governance structures at international level. Member States should ensure that all types of access to personal and non-personal domain name registration data are free of charge.

Entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; falling within the scope of this Directive should be considered to fall under the jurisdiction of the Member State in which they are established. However, providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or providers of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; should be considered to fall under the jurisdiction of the Member State in which they provide their services. DNS service providers means an entity that provides: publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers;, TLD name registries, entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;, cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; providers, content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providers means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, as well as providers of online marketplaces means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22)., of online search engines means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). and of social networking services platforms means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations; should be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union. Public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital; should fall under the jurisdiction of the Member State which established them. If the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; provides services or is established in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of those Member States. The competent authoritiesas defined in Article 46 of those Member States should cooperate, provide mutual assistance to each other and, where appropriate, carry out joint supervisory actions. Where Member States exercise jurisdiction, they should not impose enforcement measures or penalties more than once for the same conduct, in line with the principle of ne bis in idem.

In order to take account of the cross-border nature of the services and operations of DNS service providers means an entity that provides: publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers;, TLD name registries, entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;, cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; providers, content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providers means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, as well as providers of online marketplaces means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22)., of online search engines means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). and of social networking services platforms means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, only one Member State should have jurisdiction over those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Jurisdiction should be attributed to the Member State in which the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned has its main establishment in the Union. The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU; with a legal personality, is not the determining factor in that respect. Whether that criterion is fulfilled should not depend on whether the network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not decisive criteria for determining the main establishment. The main establishment should be considered to be in the Member State where the decisions related to the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures are predominantly taken in the Union. This will typically correspond to the place of the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’ central administration in the Union. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment should be considered to be in the Member State where cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; operations are carried out. If such a Member State cannot be determined, the main establishment should be considered to be in the Member State where the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; has the establishment with the highest number of employees in the Union. Where the services are carried out by a group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; of undertakings.

Where a publicly available recursive DNS service is provided by a provider of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; only as a part of the internet access service, the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be considered to fall under the jurisdiction of all the Member States where its services are provided.

Where a DNS service provider means an entity that provides: publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers;, a TLD name registry, an entity providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;, a cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; provider, a data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; provider, a content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; provider, a managed service provider means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, a managed security service provider means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; or a provider of an online marketplace means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22)., of an online search engine means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). or of a social networking services platform means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, which is not established in the Union, offers services within the Union, it should designate a representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; in the Union. In order to determine whether such an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is offering services within the Union, it should be ascertained whether the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s or an intermediary’s website or of an email address or other contact details, or the use of a language generally used in the third country where the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is established, should be considered to be insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language, or the mentioning of customers or users who are in the Union, could make it apparent that the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is planning to offer services within the Union. The representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; should act on behalf of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and it should be possible for the competent authoritiesas defined in Article 46 or the CSIRTscomputer security incident response teams to address the representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive;. The representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; should be explicitly designated by a written mandate of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to act on the latter’s behalf with regard to the latter’s obligations laid down in this Directive, including incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting.

In order to ensure a clear overview of DNS service providers means an entity that provides: publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers;, TLD name registries, entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;, cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; providers, content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providers means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, as well as providers of online marketplaces means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22)., of online search engines means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). and of social networking services platforms means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, which provide services across the Union that fall within the scope of this Directive, ENISA should create and maintain a registry of such entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, based on the information received by Member States, where applicable through national mechanisms established for entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to register themselves. The single points of contact should forward to ENISA the information and any changes thereto. With a view to ensuring the accuracy and completeness of the information that is to be included in that registry, Member States can submit to ENISA the information available in any national registries on those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. ENISA and the Member States should take measures to facilitate the interoperability of such registries, while ensuring protection of confidential or classified information. ENISA should establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information and restrict the access, storage, and transmission of such information to intended users.

Where information which is classified in accordance with Union or national law is exchanged, reported or otherwise shared under this Directive, the corresponding rules on the handling of classified information should be applied. In addition, ENISA should have the infrastructure, procedures and rules in place to handle sensitive and classified information in accordance with the applicable security rules for protecting EU classified information.

With cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; becoming more complex and sophisticated, good detection of such threats and their prevention measures depend to a large extent on regular threat and vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; intelligence sharing between entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Information sharing contributes to an increased awareness of cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, which, in turn, enhances entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’ capacity to prevent such threats from materialising into incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and enables entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to better contain the effects of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and recover more efficiently. In the absence of guidance at Union level, various factors seem to have inhibited such intelligence sharing, in particular uncertainty over the compatibility with competition and liability rules.

Entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be encouraged and assisted by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately prevent, detect, respond to or recover from incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; or to mitigate their impact. It is thus necessary to enable the emergence at Union level of voluntary cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; information-sharing arrangements. To that end, Member States should actively assist and encourage entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, such as those providing cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; services and research, as well as relevant entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; not falling within the scope of this Directive, to participate in such cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; information-sharing arrangements. Those arrangements should be established in accordance with the Union competition rules and Union data protection law.

The processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, to the extent necessary and proportionate for the purpose of ensuring security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, could be considered to be lawful on the basis that such processing complies with a legal obligation to which the controller is subject, in accordance with the requirements of Article 6(1), point (c), and Article 6(3) of Regulation (EU) 2016/679. Processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; could also be necessary for legitimate interests pursued by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, as well as providers of security technologies and services acting on behalf of those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, pursuant to Article 6(1), point (f), of Regulation (EU) 2016/679, including where such processing is necessary for cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; information-sharing arrangements or the voluntary notification of relevant information in accordance with this Directive. Measures related to the prevention, detection, identification, containment, analysis and response to incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, measures to raise awareness in relation to specific cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, exchange of information in the context of vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; remediation and coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure, the voluntary exchange of information about those incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, and cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, indicators of compromise, tactics, techniques and procedures, cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; alerts and configuration tools could require the processing of certain categories of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, such as IP addresses, uniform resources locators (URLs), domain names, email addresses and, where they reveal personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, time stamps. Processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; by the competent authoritiesas defined in Article 46, the single points of contact and the CSIRTscomputer security incident response teams, could constitute a legal obligation or be considered to be necessary for carrying out a task in the public interest or in the exercise of official authority vested in the controller pursuant to Article 6(1), point (c) or (e), and Article 6(3) of Regulation (EU) 2016/679, or for pursuing a legitimate interest of the essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, as referred to in Article 6(1), point (f), of that Regulation. Furthermore, national law could lay down rules allowing the competent authoritiesas defined in Article 46, the single points of contact and the CSIRTscomputer security incident response teams, to the extent that is necessary and proportionate for the purpose of ensuring the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, to process special categories of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; in accordance with Article 9 of Regulation (EU) 2016/679, in particular by providing for suitable and specific measures to safeguard the fundamental rights and interests of natural persons, including technical limitations on the re-use of such data and the use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.

In order to strengthen the supervisory powers and measures that help ensure effective compliance, this Directive should provide for a minimum list of supervisory measures and means through which the competent authoritiesas defined in Article 46 can supervise essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; with a view to ensuring a fair balance of obligations on those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and on the competent authoritiesas defined in Article 46. Therefore, essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be subject to a comprehensive ex ante and ex post supervisory regime, while important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be subject to a light, ex post only, supervisory regime. Important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore not be required to systematically document compliance with cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures, while the competent authoritiesas defined in Article 46 should implement a reactive ex post approach to supervision and, hence, not have a general obligation to supervise those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. The ex post supervision of important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; may be triggered by evidence, indication or information brought to the attention of the competent authoritiesas defined in Article 46 considered by those authorities to suggest potential infringements of this Directive. For example, such evidence, indication or information could be of the type provided to the competent authoritiesas defined in Article 46 by other authorities, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, citizens, media or other sources or publicly available information, or could emerge from other activities conducted by the competent authoritiesas defined in Article 46 in the fulfilment of their tasks.

The execution of supervisory tasks by the competent authoritiesas defined in Article 46 should not unnecessarily hamper the business activities of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned. Where the competent authoritiesas defined in Article 46 execute their supervisory tasks in relation to essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, including the conduct of on-site inspections and off-site supervision, the investigation of infringements of this Directive and the conduct of security audits or security scans, they should minimise the impact on the business activities of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned.

In the exercise of ex ante supervision, the competent authoritiesas defined in Article 46 should be able to decide on the prioritisation of the use of supervisory measures and means at their disposal in a proportionate manner. This entails that the competent authoritiesas defined in Article 46 can decide on such prioritisation based on supervisory methodologies which should follow a risk-based approach. More specifically, such methodologies could include criteria or benchmarks for the classification of essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; into risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; categories and corresponding supervisory measures and means recommended per risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; category, such as the use, frequency or types of on-site inspections, targeted security audits or security scans, the type of information to be requested and the level of detail of that information. Such supervisory methodologies could also be accompanied by work programmes and be assessed and reviewed on a regular basis, including on aspects such as resource allocation and needs. In relation to public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital;, the supervisory powers should be exercised in line with the national legislative and institutional frameworks.

The competent authoritiesas defined in Article 46 should ensure that their supervisory tasks in relation to essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are carried out by trained professionals, who should have the necessary skills to carry out those tasks, in particular with regard to conducting on-site inspections and off-site supervision, including the identification of weaknesses in databases, hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;, firewalls, encryption and networks. Those inspections and that supervision should be conducted in an objective manner.

In duly substantiated cases where it is aware of a significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; or an imminent risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, the competent authorityas defined in Article 46 should be able to take immediate enforcement decisions with the aim of preventing or responding to an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

In order to make enforcement effective, a minimum list of enforcement powers that can be exercised for breach of the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations provided for in this Directive should be laid down, setting up a clear and consistent framework for such enforcement across the Union. Due regard should be given to the nature, gravity and duration of the infringement of this Directive, the material or non-material damage caused, whether the infringement was intentional or negligent, actions taken to prevent or mitigate the material or non-material damage, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authorityas defined in Article 46 and any other aggravating or mitigating factor. The enforcement measures, including administrative fines, should be proportionate and their imposition should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union (the ‘Charter’), including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.

This Directive does not require Member States to provide for criminal or civil liability with regard to natural persons with responsibility for ensuring that an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; complies with this Directive for damage suffered by third parties as a result of an infringement of this Directive.

In order to ensure effective enforcement of the obligations laid down in this Directive, each competent authorityas defined in Article 46 should have the power to impose or request the imposition of administrative fines.

Where an administrative fine is imposed on an essential or important entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that is an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where an administrative fine is imposed on a person that is not an undertaking, the competent authorityas defined in Article 46 should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. It should be for the Member States to determine whether and to what extent public authorities means any government or other public administration entity, including national central banks. should be subject to administrative fines. Imposing an administrative fine does not affect the application of other powers of the competent authoritiesas defined in Article 46 or of other penalties laid down in the national rules transposing this Directive.

Member States should be able to lay down the rules on criminal penalties for infringements of the national rules transposing this Directive. However, the imposition of criminal penalties for infringements of such national rules and of related administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice of the European Union.

Where this Directive does not harmonise administrative penalties or where necessary in other cases, for example in the event of a serious infringement of this Directive, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties and whether they are criminal or administrative should be determined by national law.

In order to further strengthen the effectiveness and dissuasiveness of the enforcement measures applicable to infringements of this Directive, the competent authoritiesas defined in Article 46 should be empowered to suspend temporarily or to request the temporary suspension of a certification or authorisation concerning part or all of the relevant services provided or activities carried out by an essential entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and request the imposition of a temporary prohibition of the exercise of managerial functions by any natural person discharging managerial responsibilities at chief executive officer or legal representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; level. Given their severity and impact on the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’ activities and ultimately on users, such temporary suspensions or prohibitions should only be applied proportionally to the severity of the infringement and taking account of the circumstances of each individual case, including whether the infringement was intentional or negligent, and any actions taken to prevent or mitigate the material or non-material damage. Such temporary suspensions or prohibitions should only be applied as a last resort, namely only after the other relevant enforcement measures laid down in this Directive have been exhausted, and only until the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authorityas defined in Article 46 for which such temporary suspensions or prohibitions were applied. The imposition of such temporary suspensions or prohibitions should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.

For the purpose of ensuring entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’ compliance with their obligations laid down in this Directive, Member States should cooperate with and assist each other with regard to supervisory and enforcement measures, in particular where an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; provides services in more than one Member State or where its network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; are located in a Member State other than that where it provides services. When providing assistance, the requested competent authorityas defined in Article 46 should take supervisory or enforcement measures in accordance with national law. In order to ensure the smooth functioning of mutual assistance under this Directive, the competent authoritiesas defined in Article 46 should use the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; as a forum to discuss cases and particular requests for assistance.

In order to ensure effective supervision and enforcement, in particular in a situation with a cross-border dimension, a Member State that has received a request for mutual assistance should, within the limits of that request, take appropriate supervisory and enforcement measures in relation to the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that is the subject of that request, and that provides services or has a network and information system means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; on the territory of that Member State.

This Directive should establish cooperation rules between the competent authoritiesas defined in Article 46 and the supervisory authorities under Regulation (EU) 2016/679 to deal with infringements of this Directive related to personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;.

This Directive should aim to ensure a high level of responsibility for the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations at the level of the essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Therefore, the management bodies means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (^31^), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law; Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32). of the essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should approve the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and oversee their implementation.

In order to ensure a high common level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; across the Union on the basis of this Directive, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of supplementing this Directive by specifying which categories of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are to be required to use certain certified ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;, ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; and ICT processes or obtain a certificate under a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making(²²)OJ L 123, 12.5.2016, p. 1.. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU; dealing with the preparation of delegated acts.

In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission to lay down the procedural arrangements necessary for the functioning of the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the technical and methodological as well as sectoral requirements concerning the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures, and to further specify the type of information, the format and the procedure of incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and near miss means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555; notifications and of significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; communications, as well as cases in which an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; is to be considered to be significant. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(²³)Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13)..

The Commission should periodically review this Directive, after consulting stakeholders, in particular with a view to determining whether it is appropriate to propose amendments in light of changes to societal, political, technological or market conditions. As part of those reviews, the Commission should assess the relevance of the size of the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned, and the sectors, subsectors and types of entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; referred to in the annexes to this Directive for the functioning of the economy and society in relation to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;. The Commission should assess, inter alia, whether providers, falling within the scope of this Directive, that are designated as very large online platforms within the meaning of Article 33 of Regulation (EU) 2022/2065 of the European Parliament and of the Council(²⁴)Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1). could be identified as essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; under this Directive.

This Directive creates new tasks for ENISA, thereby enhancing its role, and could also result in ENISA being required to carry out its existing tasks under Regulation (EU) 2019/881 to a higher level than before. In order to ensure that ENISA has the necessary financial and human resources to carry out existing and new tasks, as well as to meet any higher level of execution of those tasks resulting from its enhanced role, its budget should be increased accordingly. In addition, in order to ensure the efficient use of resources, ENISA should be given greater flexibility in the way that it is able to allocate resources internally for the purpose of effectively carrying out its tasks and meeting expectations.

Since the objective of this Directive, namely to achieve a high common level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; across the Union, cannot be sufficiently achieved by the Member States but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.

This Directive respects the fundamental rights, and observes the principles, recognised by the Charter, in particular the right to respect for private life and communications, the protection of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, the freedom to conduct a business, the right to property, the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence. The right to an effective remedy extends to the recipients of services provided by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. This Directive should be implemented in accordance with those rights and principles.

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(²⁵)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and delivered an opinion on 11 March 2021(²⁶)OJ C 183, 11.5.2021, p. 3.,